Overview

overview

10

Static

static

10

lionlee.exe

windows7_x64

10

lionlee.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    140s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    17-01-2022 18:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    lionlee.exe

  • Size

    113KB

  • MD5

    3bd42085584a11f32b619102c57eba91

  • SHA1

    6ece11c3efec83e33b4acc1458aa62953891c420

  • SHA256

    6e0f7705c589e4fbfdd1b6c1431a675aa58b863a06448aaade026463f55024ff

  • SHA512

    dba8345d5697bfe778c7737c2f8d23bcb7dc092be253055608eb32785a73d87acc49c649d633ba59eaa6bed313962838b23823fa928610e6aa65dacf451d71df

Score
10/10
warzoneratinfostealerrat

Malware Config

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\lionlee.exe
    "C:\Users\Admin\AppData\Local\Temp\lionlee.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1588
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:576
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="576.0.62599320\677459764" -parentBuildID 20200403170909 -prefsHandle 1184 -prefMapHandle 1176 -prefsLen 1 -prefMapSize 219799 -appdir "C:\Program Files\Mozilla Firefox\browser" - 576 "\\.\pipe\gecko-crash-server-pipe.576" 1248 gpu
        3⤵
          PID:1440
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="576.3.52805084\605817292" -childID 1 -isForBrowser -prefsHandle 1712 -prefMapHandle 1672 -prefsLen 156 -prefMapSize 219799 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 576 "\\.\pipe\gecko-crash-server-pipe.576" 1068 tab
          3⤵
            PID:288
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="576.13.1287140460\1106641419" -childID 2 -isForBrowser -prefsHandle 2736 -prefMapHandle 2732 -prefsLen 7013 -prefMapSize 219799 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 576 "\\.\pipe\gecko-crash-server-pipe.576" 2748 tab
            3⤵
              PID:540
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="576.14.1437995235\1197024914" -childID 3 -isForBrowser -prefsHandle 2756 -prefMapHandle 2736 -prefsLen 7013 -prefMapSize 219799 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 576 "\\.\pipe\gecko-crash-server-pipe.576" 2828 tab
              3⤵
                PID:1544
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="576.21.1221496815\155219799" -childID 4 -isForBrowser -prefsHandle 3352 -prefMapHandle 3348 -prefsLen 7718 -prefMapSize 219799 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 576 "\\.\pipe\gecko-crash-server-pipe.576" 3364 tab
                3⤵
                  PID:2160

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Privilege Escalation

            Defense Evasion

            Credential Access

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/1588-54-0x0000000076421000-0x0000000076423000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1588-55-0x0000000002DB0000-0x0000000002EB0000-memory.dmp
              Filesize

              1024KB

              Download